It was revealed on Monday 29 October that an unpatched flaw in MS Office 2016 and earlier versions could allow attackers to implant malware onto users’ computers.
Cybersecurity researchers from Cymulate discovered alerted Microsoft about the flaw three months ago, shortly after they discovered it. However, Microsoft refuses to acknowledge the issue as a security flaw and say its software is “properly interpreting HTML as designed”. This lack of concerned response is what sparked Cymulate to now make the public aware of the flaw so they can protect themselves from this type of attack.
The flaw can be exploited by using the “online video” option the Word document. This feature allows users to embedded an online video with a link to YouTube. When the user does this, the feature generates an HTML embed script which can be executed by the user clicking on it.
Because of how world documents and the HTML words, an attacker could exploit this by replacing the legitimate YouTube video with a malicious video that would then be executed when clicked. Word documents are easy for attacks to edit should they gain access, alternatively attacks could send legitimate looking word documents with the malicious video link embedded in them, and convince a user to click on the link.
Cymulate has stated that the vulnerability is present on MS Office 2016 and older versions. It recommends that users don’t open email attachments from unknown senders or if you find anything suspicious about the email.
For Enterprise administrators, Cymulate recommends blocking word documents that contain the embedded video tag: “embeddedHtml” in the Document.xml file.
Its important for users to stay vigilant about their security and adhere to best safety practices when opening emails and word documents, this type of attack would be avoided by following these methods.